  1. ModeShape
  2. MODE-1009

The JBoss AS deployment configuration does not correctly reference the right JAAS policy


Details

    • Bug
    • Resolution: Done
    • Major
    • 2.4.0.Final, 2.2.1.GA
    • 2.3.0.Final
    • Server
    • None
    • Low

    Description

      The configuration file in the JBoss AS kit of ModeShape does not define the JAAS policy name, and so ModeShape defaults to use the 'modeshape-jcr' policy. However, in the 'modeshape-jboss-beans.xml' file, we're configuring the JAAS policy with the name 'modeshape'.

      We've not seen this so far because all interaction with the ModeShape service has been through the WebDAV or RESTful services, and in these web apps JBoss AS is already authenticating the user with JAAS before the webapps attempt to get a JCR Session (without credentials, as there is already a JAAS LoginContext). However, should a web application attempt to get a JCR Session without a priori authenticating with JAAS and instead supplying a Credentials object to the 'login(...)' method, ModeShape would attempt to authenticate the user with those credentials using the 'modeshape-jcr' JAAS policy rather than the 'modeshape' policy we define in the 'modeshape-jboss-beans.xml' file.

      Therefore, to fix, we need to explicitly specify the name of the JAAS policy via the JcrRepository.Option.JAAS_CONFIGURATION_NAME option.
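
The name mismatch described above can be reproduced with only the JDK's JAAS classes. This is an added example, not code from ModeShape or from this issue: the class name, the stub login module and the in-memory `Configuration` are constructed for illustration, and the two policy names are the ones quoted in the description.

```java
import java.util.Collections;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public class JaasPolicyNameCheck {
    /** Constructed stand-in for whatever login module the deployed policy lists. */
    public static class StubModule implements LoginModule {
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {}
        public boolean login() { return true; }
        public boolean commit() { return true; }
        public boolean abort() { return true; }
        public boolean logout() { return true; }
    }

    /** In-memory JAAS configuration that defines exactly one named policy. */
    static Configuration onlyPolicy(final String definedName) {
        return new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                // JAAS retries a missing name as "other"; this config defines no such entry.
                if (!definedName.equals(name)) return null;
                return new AppConfigurationEntry[] { new AppConfigurationEntry(StubModule.class.getName(),
                    LoginModuleControlFlag.REQUIRED, Collections.<String, Object>emptyMap()) };
            }
        };
    }

    /** True if a login under policyName resolves to a configured policy and succeeds. */
    static boolean canLogin(String policyName, Configuration config) {
        try {
            new LoginContext(policyName, new Subject(), callbacks -> { }, config).login();
            return true;
        } catch (LoginException e) {
            System.out.println(policyName + ": " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) {
        Configuration deployed = onlyPolicy("modeshape"); // the name the beans file defines
        System.out.println("modeshape-jcr (default): " + canLogin("modeshape-jcr", deployed));
        System.out.println("modeshape (explicit):    " + canLogin("modeshape", deployed));
    }
}
```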


          People

            rhauch Randall Hauch (Inactive)